SPRING WS CLOSES THREE AUTHENTICATION SECURITY GAPS OVERNIGHT
By RepoJournal
Spring Web Services shipped fixes for BSP enforcement, X.509 account validation, and RSA key transport defaults that were silently weakening cryptographic defenses across the stack.
Three separate authentication and encryption hardening changes landed in spring-ws, each correcting behaviour that contradicted a documented secure default. The bspCompliant flag on Wss4jSecurityInterceptor defaulted to false although its Javadoc claimed true, which disabled WSS4J's Basic Security Profile checks and left the door open to non-standard transforms and signature abuse [1]. X509AuthenticationProvider issued authenticated tokens without applying Spring Security's account lifecycle checks, so disabled, locked, or expired accounts could still authenticate [2]. A third fix flips RSA PKCS#1 v1.5 key transport for inbound WS-Security from enabled to disabled by default [3], aligning with WSS4J's safer posture. Alongside these, spring-ws hardened authentication failure messages to block account-status information leaks [4] and introduced stricter validation for WS-Addressing out-of-band reply destinations using a new UriSource classification system [5].

On the release front, Spring Security 7.1.0 shipped [12] alongside point releases 7.0.6 [13] and 6.5.11 [14]; Spring Boot and Spring WebFlow have pulled in these security updates [6, 7, 8, 9]. Spring WebFlow v3.0.2 and v4.0.1 are out with improved Ajax error handling and default mapping expression parsing [10, 11].
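The two misconfigurations behind [1] and [2] share a lesson: do not trust a documented default, pin the secure setting yourself, and make account-state checks part of the authentication path. The following is an added illustration written for this digest, not code from spring-ws or from any of the referenced changes. It pins bspCompliant to true explicitly on the WSS4J interceptor and wraps the X.509 authorities populator so that Spring Security's AccountStatusUserDetailsChecker runs before X509AuthenticationProvider ever sees the UserDetails. The spring-ws types used here (Wss4jSecurityInterceptor.setBspCompliant, X509AuthenticationProvider, X509AuthoritiesPopulator, DaoX509AuthoritiesPopulator) are assumed from the spring-ws WSS4J and X.509 modules and should be checked against the version you run; AccountStatusUserDetailsChecker and UserDetailsChecker are Spring Security's own.

```java
import java.security.cert.X509Certificate;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AccountStatusUserDetailsChecker;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsChecker;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.ws.soap.security.wss4j2.Wss4jSecurityInterceptor;
import org.springframework.ws.soap.security.x509.X509AuthenticationProvider;
import org.springframework.ws.soap.security.x509.X509AuthoritiesPopulator;
import org.springframework.ws.soap.security.x509.populator.DaoX509AuthoritiesPopulator;

/**
 * Illustrative wrapper (not part of spring-ws): decorates any
 * X509AuthoritiesPopulator and applies Spring Security's account status
 * checks (enabled, non-locked, non-expired, credentials non-expired) before
 * the UserDetails are handed to X509AuthenticationProvider.
 */
public final class AccountStatusCheckingPopulator implements X509AuthoritiesPopulator {

    private final X509AuthoritiesPopulator delegate;
    private final UserDetailsChecker checker = new AccountStatusUserDetailsChecker();

    public AccountStatusCheckingPopulator(X509AuthoritiesPopulator delegate) {
        this.delegate = delegate;
    }

    @Override
    public UserDetails getUserDetails(X509Certificate certificate) throws AuthenticationException {
        UserDetails user = delegate.getUserDetails(certificate);
        // Throws DisabledException, LockedException, AccountExpiredException or
        // CredentialsExpiredException, so no token is issued for such accounts.
        checker.check(user);
        return user;
    }
}

@Configuration
class WsSecurityConfig {

    @Bean
    X509AuthenticationProvider x509AuthenticationProvider(UserDetailsService userDetailsService) {
        // Assumed spring-ws populator: maps the certificate subject DN to a user
        // via the supplied UserDetailsService (default subject DN regex kept).
        DaoX509AuthoritiesPopulator dao = new DaoX509AuthoritiesPopulator();
        dao.setUserDetailsService(userDetailsService);

        X509AuthenticationProvider provider = new X509AuthenticationProvider();
        provider.setX509AuthoritiesPopulator(new AccountStatusCheckingPopulator(dao));
        return provider;
    }

    @Bean
    Wss4jSecurityInterceptor wss4jSecurityInterceptor() {
        Wss4jSecurityInterceptor interceptor = new Wss4jSecurityInterceptor();
        // Pin BSP enforcement on explicitly instead of relying on the default
        // that the Javadoc described and the code did not honour.
        interceptor.setBspCompliant(true);
        // Validation actions are deployment specific; "Signature" is a placeholder.
        interceptor.setValidationActions("Signature");
        return interceptor;
    }
}
```

Once you are on a spring-ws release that includes [1] and [2], the explicit setBspCompliant(true) and the wrapper become redundant, but leaving them in place costs nothing and documents the intended posture in your own configuration rather than in a dependency's defaults.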
Action items
- Upgrade spring-ws and audit X.509 authentication configurations immediately (spring-projects/spring-ws) [immediate]
- Pull Spring Security 7.1.0, 7.0.6, or 6.5.11 depending on your line; verify opaque token introspector configs (spring-projects/spring-security) [immediate]
- Review any WS-Addressing reply destinations currently allowing remote URIs without validation (spring-projects/spring-ws) [plan]
- Update Spring WebFlow to v3.0.2 or v4.0.1 for Ajax handling and expression parsing fixes (spring-projects/spring-webflow) [plan]
References
- [1] Fix default BSP enforcement for Wss4jSecurityInterceptor (spring-projects/spring-ws)
- [2] Enforce UserDetails account state for X.509 authentication (spring-projects/spring-ws)
- [3] Reject RSA PKCS#1 v1.5 key transport for inbound WS-Security by default (spring-projects/spring-ws)
- [4] Harden auth failures against account-status information leaks (spring-projects/spring-ws)
- [5] Harden WS-Addressing out-of-band reply destinations (spring-projects/spring-ws)
- [6] Upgrade to Spring Security 7.1.0 (spring-projects/spring-boot)
- [7] Upgrade to Spring Security 6.5.11 (spring-projects/spring-boot)
- [8] Upgrade to Spring Security 7.0.6 (spring-projects/spring-boot)
- [9] Upgrade to Spring Security 7.0.6 (spring-projects/spring-webflow)
- [10] Release v3.0.2 (spring-projects/spring-webflow)
- [11] Release v4.0.1 (spring-projects/spring-webflow)
- [12] Release 7.1.0 (spring-projects/spring-security)
- [13] Release 7.0.6 (spring-projects/spring-security)
- [14] Release 6.5.11 (spring-projects/spring-security)
FAQ
- What changed in Spring on June 10, 2026?
- Spring Web Services shipped fixes for BSP enforcement, X.509 account validation, and RSA key transport defaults that were silently weakening cryptographic defenses across the stack.
- What should Spring teams do about it?
- Upgrade spring-ws and audit X.509 authentication configurations immediately; pull Spring Security 7.1.0, 7.0.6, or 6.5.11 depending on your line and verify opaque token introspector configs; review any WS-Addressing reply destinations currently allowing remote URIs without validation.
- Which Spring repositories shipped on June 10, 2026?
- spring-projects/spring-ws, spring-projects/spring-boot, spring-projects/spring-webflow, spring-projects/spring-security